L2TP/IPSec VPN from Cisco Router to Meraki

fuhdan
Level 1

Hi all

I need to do a L2TP/IPsec Client VPN from a Cisco Router (800 series) to a Meraki MX64. How can I do that? Are there any Configuration examples?

Thanks for any advice.

Best Regards,

Daniel

3 Replies

JP Miranda Z
Cisco Employee

Hi

Can you be a little bit more specific about what you need to do here? Considering you can configure L2TP from a router to an MX, I suppose you are trying to do something like this:

L2TPclient---------Router---------MX

So let me know if I am not correct: you are going to have clients connecting to the router using L2TP, and those clients should be able to access the resources on the MX through an S2S tunnel, am I right?

Check these links out:

Router L2TP config:

https://supportforums.cisco.com/document/9878401/l2tp-over-ipsec-cisco-ios-router-using-windows-8

Router to MX S2S configuration:

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Cisco_2811_router_for_Site-to-site_VPN_with_MX_Series_Appliance_using_the_Command_Line_Interface

For U-turn on the router you can check this NAT-on-a-stick config:

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6505-nat-on-stick.html

Hope this info helps!!

Rate if it helps you!!

-JP-

Hi

Thanks for the quick reply. I have the following situation:

Client PC --- L2TP Client Router (dynamic IP) --- MX64 L2TP Server (static IP) --- Server

So the client PC itself shouldn't have to do a VPN; the router should do this. I don't need a site2site VPN. This is just a branch office with a couple of clients (DHCP from the router).

Here are the config snippets from the router:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 4000
crypto isakmp key 123456 address 172.23.13.207
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map L2TP_VPN 10 ipsec-isakmp
 set peer 172.23.13.207
 set transform-set ESP-AES256-SHA1
 match address L2TP_TRAFFIC
!
archive
 log config
  hidekeys
!
!
pseudowire-class L2TP_PW
 encapsulation l2tpv2
 ip local interface FastEthernet4
!!
interface FastEthernet4
 ip address dhcp
 duplex auto
 speed auto
 crypto map L2TP_VPN
!
interface Virtual-PPP1
 description L2TP Tunnel
 ip address negotiated
 ppp chap hostname vpn@bwo.ch
 ppp chap password 0 ***
 ppp ipcp address accept
 pseudowire 172.23.13.207 1 pw-class L2TP_PW
!
ip access-list extended L2TP_TRAFFIC
 permit udp host 172.23.13.135 eq 1701 host 172.23.13.207 eq 1701
!

Router Output:

show crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.23.13.207   172.23.13.135   MM_NO_STATE       2002    0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA

Output Meraki Log:
Oct 21 18:36:27   Non-Meraki / Client VPN negotiation   msg: failed to pre-process ph2 packet (side: 1, status: 1).
Oct 21 18:36:27   Non-Meraki / Client VPN negotiation   msg: no proposal chosen.
Oct 21 18:36:27   Non-Meraki / Client VPN negotiation   msg: no suitable policy found.
Oct 21 18:36:27   Non-Meraki / Client VPN negotiation   msg: not matched
Oct 21 18:36:27   Non-Meraki / Client VPN negotiation   msg: ISAKMP-SA established 172.23.13.207[500]-172.23.13.135[500] spi:4ea2c261938f9448:264f7fca183b8632

Cheers Daniel
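As an added example (not part of the thread), here is a small Python script that parses the Meraki event-log lines Daniel quoted and tells a phase 1 failure apart from the phase 2 proposal rejection seen here. The line layout it matches and the diagnosis labels it returns are my assumptions, not Meraki's.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample: the Meraki event-log lines quoted in the post above (dashboard order, newest first).
SAMPLE_LOG = """\
Oct 21 18:36:27   Non-Meraki / Client VPN negotiation   msg: failed to pre-process ph2 packet (side: 1, status: 1).
Oct 21 18:36:27   Non-Meraki / Client VPN negotiation   msg: no proposal chosen.
Oct 21 18:36:27   Non-Meraki / Client VPN negotiation   msg: no suitable policy found.
Oct 21 18:36:27   Non-Meraki / Client VPN negotiation   msg: not matched
Oct 21 18:36:27   Non-Meraki / Client VPN negotiation   msg: ISAKMP-SA established 172.23.13.207[500]-172.23.13.135[500] spi:4ea2c261938f9448:264f7fca183b8632
"""

# Assumed line layout: "<Mon DD HH:MM:SS>   <event type>   msg: <text>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<event>.+?)\s+msg: (?P<msg>.*)$")
SA_RE = re.compile(r"ISAKMP-SA established ([\d.]+)\[\d+\]-([\d.]+)\[\d+\]")
# Proposal/policy rejections; "ph2" names quick mode (the IPsec SA) explicitly.
REJECTION_MARKERS = ("ph2", "no proposal chosen", "no suitable policy found", "not matched")

@dataclass
class NegotiationState:
    phase1_established: bool = False   # an "ISAKMP-SA established" line was seen
    local: Optional[str] = None        # MX address taken from that line
    peer: Optional[str] = None         # remote (router) address taken from that line
    rejections: List[str] = field(default_factory=list)

    def diagnosis(self) -> str:
        # The classification does not depend on the order the lines were logged in.
        if self.phase1_established and self.rejections:
            return "phase2-mismatch"   # IKE SA is up, IPsec SA refused: compare transform set, mode, traffic selectors
        if self.phase1_established:
            return "established"
        if self.rejections:
            return "phase1-failed"     # refused before any IKE SA: ISAKMP policy or pre-shared key on both ends
        return "no-negotiation"

def analyse(log: str) -> NegotiationState:
    state = NegotiationState()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or "Client VPN negotiation" not in m["event"]:
            continue   # other event types are ignored
        msg = m["msg"]
        sa = SA_RE.search(msg)
        if sa:
            state.phase1_established = True
            state.local, state.peer = sa.group(1), sa.group(2)
        elif any(marker in msg for marker in REJECTION_MARKERS):
            state.rejections.append(msg.rstrip("."))
    return state
```

For the quoted log, `analyse(SAMPLE_LOG).diagnosis()` returns `phase2-mismatch`, which matches the router side: the ISAKMP SA comes up and is then torn down because no IPsec SA follows.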

Please inform me if you are able to send your advice regarding the problem that I have:

Trying to open ports 4500 & 500 (UDP) to have access to the ISR 4331 from the Meraki MX84 device.

These ports are required by Meraki to be opened for client VPN to work.